Windows client and server operating system compatibility with DNSSEC enabled root servers

Article ID: 2028240

SUMMARY

ICANN and VeriSign have configured DNS Servers hosting the root zone to use DNSSEC.

This article summarizes the impact of enabling DNSSEC on the root zone DNS servers on Windows clients and servers.

OS version and role: Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008

Impact: No configuration change is required.

DNSSEC is a DNS server technology; the Windows DNS Client is not affected by it.

A DNS server returns DNSSEC data only to resolvers that ask for it, by setting the DNSSEC OK (DO) bit in the EDNS0 OPT record of their queries. The Microsoft DNS Server versions shipped with these releases are not DNSSEC aware and never ask for DNSSEC data, so they are not affected by the signing of the root zone.

OS version and role: Windows 7 and Windows Server 2008 R2 with DNSSEC disabled

Impact: No configuration change is required.

DNSSEC is a DNS server technology; the Windows DNS Client is not affected by it.

A DNS server returns DNSSEC data only to resolvers that ask for it. DNSSEC is not enabled on Windows Server 2008 R2 DNS servers by default, and a server with DNSSEC disabled does not ask for DNSSEC data, so it is not affected by the signing of the root zone.

OS version and role: Windows Server 2008 R2 DNS servers with DNSSEC enabled

Impact: No additional configuration change is required as a result of DNSSEC being enabled on the root zone DNS servers.

DNSSEC-enabled Windows Server 2008 R2 DNS servers have been tested and verified by Microsoft to interoperate with the DNSSEC-enabled root zone servers on the Internet.

If you wish to deploy DNSSEC, see the Microsoft DNSSEC Deployment Guide for the requirements, including support for the UDP packets larger than 512 bytes that EDNS0, and therefore DNSSEC, relies on.



MORE INFORMATION

Several blog posts and press articles suggested that enabling DNSSEC on the DNS servers hosting the root zone would cause DNS queries for Internet names to fail.

Those articles, and the deployment of DNSSEC itself, led Microsoft customers to ask whether the DNSSEC transition on the root zone would cause name resolution problems for Windows clients and servers, including those hosting the Microsoft DNS Server role.

Impact on Microsoft Windows Clients

Windows DNS clients do not require additional configuration as a result of DNSSEC being enabled on root zone DNS Servers.

Impact on Microsoft DNS Servers

According to http://www.root-dnssec.org/2010/05/05/status-update/, the first root server began serving the signed root zone (the deliberately unvalidatable root zone, or DURZ) on 27 January 2010, and the remaining root servers were transitioned during February, March and April 2010. By the time twelve of the thirteen root servers were serving the DURZ, no harmful effects had been identified. Had enabling DNSSEC on the root zone servers broken name resolution, the breakage would have been observed long before the last of the 13 root servers was transitioned on 5 May 2010. As of 7 May 2010, no verifiable problems attributable to the signing of the root zone had been identified.

More importantly, such claims overlook the fact that DNSSEC data is returned only to callers (DNS servers) that request it. A resolver asks for DNSSEC records by setting the DNSSEC OK (DO) bit in the EDNS0 OPT record of its query; signing a zone, including the root, does not change the response sent to a caller that does not set that bit. This change paves the way for wider EDNS use in the future, specifically for DNSSEC. Servers and clients that send DNS requests to the root servers do not have to make any changes.

Pre-Windows Server 2008 R2 DNS Servers are incapable of requesting DNSSEC data and require no configuration change to interoperate with DNSSEC-enabled DNS servers hosting the root zone or any other DNSSEC-signed zone.

Windows Server 2008 R2 DNS Servers are DNSSEC capable but the feature is turned off by default. Such DNS Servers require no additional configuration change to interoperate with DNSSEC enabled servers and should experience no failures due to the enabling of DNSSEC on root zone servers.

Windows Server 2008 R2 DNS Servers configured to use DNSSEC have been tested by Microsoft development and test teams and found to be fully interoperable with the DNSSEC-enabled root zone servers. Administrators should be aware that enabling DNSSEC on Microsoft and third-party products implicitly enables the use of EDNS, a DNS extension that allows UDP responses larger than the traditional 512-byte limit.

There are known issues with network infrastructure devices such as routers and firewalls dropping, fragmenting or reordering UDP packets larger than 512 bytes, such as those generated by Kerberos or EDNS. Any of these can cause DNS queries to fail, because a resolver that never receives a complete reply eventually times out. Ensure that your network infrastructure passes large UDP packets, including their IP fragments, intact.

Per RFC 4035, a DNSSEC-capable server MUST support UDP messages of up to 1220 bytes and SHOULD support messages of up to 4000 bytes. Windows Server 2008 R2 uses a UDP packet size of 4000 bytes by default.

OARC's DNS Reply Size Test Server documents a reply size test that uses dig. The same test can be run with nslookup against the DNS server you want to check:

    nslookup [-d2] -type=txt rs.dns-oarc.net. <your DNS server IP>

The optional -d2 switch turns on verbose logging of the query and response. The TXT records in the answer report the reply size that the test server was able to deliver to your DNS server.
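The following Python script is an added example and is not part of this article or of any Microsoft tool. It shows, at the wire level, what the two points above mean: a pre-Windows Server 2008 R2 DNS server sends a plain query with no OPT record and is therefore treated as a 512-byte, non-DNSSEC client, whereas a DNSSEC-enabled resolver appends an EDNS0 OPT pseudo-record (RFC 2671) whose CLASS field carries its UDP buffer size (4000 bytes is the Windows Server 2008 R2 default quoted above) and whose TTL field carries the DO bit (RFC 3225). parse_reply() reads those fields, and the TC (truncated) bit, back out of a response. The sample replies are constructed locally so the code runs offline; the rs.dns-oarc.net name is the one used by the nslookup test above, and 192.0.2.53 is a placeholder for your own DNS server.

```python
"""Build DNS queries with and without EDNS0/DO, and inspect what a server sends back.

Added example: not code from the Microsoft article. Sample replies are constructed
in-process so that everything runs offline; probe() is the only function that
touches the network.
"""
import socket
import struct

TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1
FLAG_TC = 0x0200        # header flag: reply was truncated to fit the UDP size
DO_BIT = 0x8000         # OPT TTL field: DNSSEC OK, "send me RRSIG/NSEC/DNSKEY data"


def encode_name(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at data[off]."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype=TYPE_TXT, edns_size=None, dnssec_ok=False, txid=0x1234):
    """edns_size=None -> legacy query, no OPT record (what a pre-2008 R2 server sends).
    edns_size=N     -> EDNS0 OPT advertising an N-byte UDP buffer; dnssec_ok sets DO."""
    arcount = 0 if edns_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)      # flags: RD only
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        # OPT RR: root name, TYPE 41, CLASS = requestor's UDP size,
        # TTL = extended RCODE / version / flags (DO), RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, ttl, 0)
    return msg


def parse_reply(data: bytes) -> dict:
    """Pull out what matters for the large-UDP discussion: TC bit, RCODE, and the
    responder's own OPT record (advertised size and DO bit), if it sent one."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                 # skip QTYPE + QCLASS
    info = {"txid": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "edns_size": None, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == TYPE_OPT:
            info["edns_size"] = rclass
            info["do"] = bool(ttl & DO_BIT)
        off += rdlen
    return info


def constructed_reply(query: bytes, truncated: bool, server_edns_size=None) -> bytes:
    """Constructed sample response (not real server output): echoes the question with
    QR/RD/RA set, optionally TC, and optionally the server's own OPT record with DO."""
    txid, = struct.unpack_from("!H", query, 0)
    flags = 0x8180 | (FLAG_TC if truncated else 0)
    question = query[12:skip_name(query, 12) + 4]
    arcount = 0 if server_edns_size is None else 1
    reply = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount) + question
    if server_edns_size is not None:
        reply += b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_edns_size, DO_BIT, 0)
    return reply


def probe(server: str, edns_size=4000, qname="rs.dns-oarc.net", timeout=3.0) -> dict:
    """Live check against your own DNS server (needs network): send the OARC reply-size
    query with the given EDNS buffer size (None = no OPT) and report what came back."""
    query = build_query(qname, edns_size=edns_size, dnssec_ok=edns_size is not None)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(65535)
    return parse_reply(data)


if __name__ == "__main__":
    legacy = build_query("rs.dns-oarc.net")                                  # no OPT record
    dnssec = build_query("rs.dns-oarc.net", edns_size=4000, dnssec_ok=True)  # 2008 R2 default size
    print("legacy query :", parse_reply(legacy))
    print("DNSSEC query :", parse_reply(dnssec))
    print("reply w/ OPT :", parse_reply(constructed_reply(dnssec, False, server_edns_size=4096)))
    print("truncated    :", parse_reply(constructed_reply(legacy, True)))
    # probe("192.0.2.53")   # placeholder: put your DNS server's IP here to test it for real
```

To reproduce the article's reply-size check on your own infrastructure, call probe() against one of your DNS servers with edns_size set to 4000, then 1220, then None. If the 4000-byte probe times out or comes back with the TC bit set while the 1220-byte probe succeeds, something between that server and the Internet is dropping or mangling UDP packets larger than the classic 512-byte limit, which is the failure mode described above.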
In summary, there is no real need for EDNS if you are not using DNSSEC, and Microsoft suggests that you leave it disabled. Administrators who want to enable it should do so on a few servers first and verify that all Internet names still resolve before rolling it out further.


Related Links

Information about DNSSEC for the Root Zone
DNSSEC unlikely to break Internet on May 5 (author: Bill Detwiler, TechRepublic)
Warning: Why your Internet might fail on May 5th (author: Brett Winterford, ITNews for Australian Business)
Will DNSSEC kill your internet? (author: Kevin Murphy, The Register)
OARC's DNS Reply Size Test Server
The story of the Mysteriously Malfunctioning Mail Router (Aka EDNS and Exchange escapades)
Microsoft DNSSEC Deployment Guide


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2028240 - Last Review: June 4, 2010 - Revision: 5.0
APPLIES TO
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
Keywords: KB2028240
